Wednesday, April 13, 2011

Self-Encrypting Hard Disks

I travel a lot with my laptop, and it can contain private information that shouldn't get disclosed if it's ever lost or stolen. For this reason, I've been using various types of disk encryption over the years, such as Ubuntu's encrypted home directory feature, to reasonably assure that my data remains private.

A few things have always bothered me with software encryption though. The first thing is the fact that software encryption is non-transparent. Although slight, there is a performance penalty in encrypting every read and write to your hard disk. Some people choose to only encrypt certain things to try and reduce that penalty. Do I only encrypt my home directory? What about my swap file or the /tmp directory? If I encrypt my swap file, do I give up hibernation, or do I make it ask me for a passphrase when I boot? What happens in case of disaster? Will I be able to boot a recovery CD and gain access to my data? Will I have saved the passphrase/encryption key somewhere safe in case an emergency arises?

Another issue is the fact that the decryption key necessary to access my encrypted volumes is located somewhere in RAM. There are a bunch of reasons why this is worrisome, from “Cold Boot” attacks, to hibernation, to simply having it leaked in some other way.

But the biggest gripe I have with software encryption is the “Evil Maid” scenario. Basically, every time I leave my laptop unattended, someone could boot off removable media, or physically plug my hard disk into another computer, and alter the software that is loaded before my encrypted volumes. The altered software could send them my encryption password as I type it, or could wait around for my volumes to be mounted before installing a back door. I need to stay physically present with my laptop at all times to make sure this scenario isn't possible, something I'm not always prepared to do. Although laptops are expensive, the cost of losing an encrypted laptop, or having it stolen, is limited to the value of the hardware, not the incalculable value of its contents. Leaving my netbook in my hotel room is an easy choice to make if all I stand to lose is a couple of hundred dollars.

Since the hard disk that came with my Lenovo Thinkpad was a little small for my taste, I decided to replace it with a bigger one. In doing so, I specifically paid $20 more to get a model with FIPS 197 certified hardware encryption. These hard disks will encrypt everything that is stored on the physical platters with 128-bit AES encryption and a random key. When the disk is powered on, a standard ATA password is required to access it, and the password cannot be reset; if it is lost, the disk is no longer usable. A master password can be set that can be used to reinitialize the random key, so the disk is usable, but the data contained is lost.

For under $100, I now have an encrypted 500GB hard disk in my laptop that asks for a passphrase when I boot. Is this solution perfect? No. But it's better than what I had before, and is perfectly adequate for my peace of mind.
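The ATA password setup described above can be checked from the operating system. The following is an added example, not code from the original post: it parses the `Security:` section that `hdparm -I` prints and flags settings that weaken the protection. It assumes that output layout, and that a master password revision code of 65534 (0xFFFE) is the factory default; the sample text is constructed.

```python
import re

# Constructed sample: the "Security:" section of `hdparm -I` output for a
# drive with a user password set (not captured from a real disk).
SAMPLE = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "Logical Unit WWN Device Identifier: 0000000000000000\n"
)

def parse_security(text):
    """Return the ATA security flags found in hdparm -I text as a dict."""
    state = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "level": None, "master_rev": None}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section and line[:1] not in ("\t", " "):
            break                                # next top-level section
        elif in_section:
            words = line.split()
            negated = words[:1] == ["not"]
            words = words[1:] if negated else words
            if len(words) == 1 and words[0] in state:
                state[words[0]] = not negated    # e.g. "not enabled"
            elif words[:2] == ["Security", "level"]:
                state["level"] = words[-1]       # "high" or "maximum"
            elif m := re.search(r"revision code = (\d+)", line):
                state["master_rev"] = int(m.group(1))
    return state

def audit(state):
    """List the settings that weaken the protection described in the post."""
    if not state["supported"]:
        return ["ATA security feature set not supported"]
    findings = []
    if not state["enabled"]:
        findings.append("no user password set: drive unlocks without a passphrase")
    elif state["level"] == "high":
        findings.append("level high: master password can unlock data, not only erase")
    if state["master_rev"] == 65534:  # assumption: 0xFFFE is the factory default
        findings.append("master password revision 0xFFFE: factory default, never changed")
    return findings
```

The master-password behaviour the post describes (erase only, no access to data) corresponds to the `maximum` level; at `high`, the master password also unlocks the drive.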

10 comments:

I haven't measured it myself, but I've seen people who've benchmarked anywhere from a 5% to 50% performance penalty. It really depends on what exactly you do... for normal users, it's probably not noticeable. For power users and developers who compile stuff, it may have a bigger impact.

I don't think people understand the scope of "evil maid". If someone has the means to make you type your password - be it BIOS or not - into a compromised machine, they will access all the data you unlock. The Ultimate Maid will replace your laptop's internals with a wireless link to the next room, intercepting your key presses and cloning video output. Paranoid? Yes. But a hardware keylogger isn't something impossible, so ask yourself again what you are getting from an encrypted drive.

@Koterpillar: There's a difference between trivially modifying a password program in an unencrypted initramfs, and replacing hardware/programming a custom BIOS. Of course it doesn't protect against UltimateMaid... but that's not who I am trying to protect against. As I said, not a perfect solution.
